crypto/x509: CRL generated by Certificate.CreateCRL is still version 1 #13931
/cc @agl
What's happening is that v2 is being specified, but it's also set as the default value of that ASN.1 element. Therefore it's not getting written because it's the default and the element is optional. OpenSSL considers the default to be v1 and the RFC doesn't say. https://go-review.googlesource.com/#/c/20544/ sets the default to be v1 so that the version will get written out.
CL https://golang.org/cl/20544 mentions this issue.
I think the majority of applications today that use certificates/CRLs use (or expect) version 2.
Plus, I checked the source code of x509.go: the function CreateCRL uses pkix.TBSCertificateList, and line 1650 initializes the version to 1.
However, according to the Go doc (quoting here): "TBSCertificateList represents the ASN.1 structure of the same name. See RFC 5280, section 5.1." But RFC 5280 is the profile for CRL v2, not v1, so I think if TBSCertificateList follows RFC 5280, then the created CRL should be v2.
The following is a snippet of a CRL generated by Go 1.5.2 on windows/amd64:
```
[SVR ~]$ openssl crl -in crl.crl -text -inform der|more
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=EXAMPLEROOTCA
        Last Update: Nov 10 23:00:00 2009 GMT
        Next Update: Nov 10 23:00:00 2019 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:9B:C9:78:89:2F:90:86:71:98:77:87:19:98:CC:E8:09:A9:48:95:12
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Nov 10 23:00:00 2010 GMT
    Serial Number: 02
        Revocation Date: Nov 10 23:00:00 2010 GMT
....
```
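The following is an added example, not code from the Go project or from anyone in this thread, illustrating both the DEFAULT mechanism agl describes and the "Version 1 (0x0)" output the reporter shows. It uses a simplified stand-in struct (constructed here; not the real pkix.TBSCertificateList, and the `default:` tag values are an assumption about the mechanism, not a quotation of the Go source). The same value, v2 (INTEGER 1 on the wire, since CRL versions are zero-indexed), is marshalled once with the field's DEFAULT set to v2 and once with it set to v1; a decoder that only knows the field is OPTIONAL then reports what a reader such as OpenSSL concludes.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// Constructed stand-in for the version field of a TBSCertificateList. CRL
// versions are zero-indexed on the wire: v1 is INTEGER 0, v2 is INTEGER 1
// (RFC 5280, section 5.1.2.1). The Note field just gives the SEQUENCE a
// second member so the encodings are easy to compare.

// DEFAULT is v2 (value 1). Setting Version to 1 equals the DEFAULT, so DER
// rules require the INTEGER to be omitted from the encoding.
type crlDefaultV2 struct {
	Version int `asn1:"optional,default:1"`
	Note    string
}

// DEFAULT is v1 (value 0). Setting Version to 1 differs from the DEFAULT,
// so the INTEGER is written out and every reader sees v2.
type crlDefaultV1 struct {
	Version int `asn1:"optional,default:0"`
	Note    string
}

// A reader that knows the field is OPTIONAL but assumes nothing about its
// DEFAULT: an absent INTEGER leaves the Go zero value 0, i.e. v1. This is
// the behaviour the OpenSSL output in the issue reflects.
type crlOnWire struct {
	Version int `asn1:"optional"`
	Note    string
}

// encodeWithDefaultV2 marshals Version = 1 (v2) under a DEFAULT of v2.
func encodeWithDefaultV2() ([]byte, error) {
	return asn1.Marshal(crlDefaultV2{Version: 1, Note: "crl"})
}

// encodeWithDefaultV1 marshals Version = 1 (v2) under a DEFAULT of v1.
func encodeWithDefaultV1() ([]byte, error) {
	return asn1.Marshal(crlDefaultV1{Version: 1, Note: "crl"})
}

// versionOnWire decodes DER with a plain OPTIONAL field and returns the
// version a DEFAULT-unaware reader would report (0 = v1, 1 = v2).
func versionOnWire(der []byte) (int, error) {
	var c crlOnWire
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return 0, err
	}
	return c.Version, nil
}

func main() {
	for _, enc := range []struct {
		name string
		fn   func() ([]byte, error)
	}{
		{"DEFAULT v2", encodeWithDefaultV2},
		{"DEFAULT v1", encodeWithDefaultV1},
	} {
		der, err := enc.fn()
		if err != nil {
			panic(err)
		}
		v, err := versionOnWire(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: DER %x -> reader sees version %d (v%d)\n", enc.name, der, v, v+1)
	}
}
```

Run with `go run`: the DEFAULT v2 encoding contains no INTEGER at all and decodes as version 0 (v1), while the DEFAULT v1 encoding carries `02 01 01` and decodes as version 1 (v2). This is why changing the struct's DEFAULT, not the value CreateCRL assigns, is what makes the v2 marker appear in the output.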